HIV, Customer data security and You.

News broke yesterday that 780 names and email addresses of HIV clinic patients in London were accidentally leaked in a huge lapse in data security.

The leak was the result of a tiny mistake made by an employee of the clinic (who is said to be distraught) while setting up a clinic service update email to be sent to those receiving treatment. Instead of copying 780 email addresses into the ‘bcc’ line, they pasted them into the ‘cc’ line, enabling every recipient (and everybody the email is then forwarded to) to openly read the entire list of addresses prefixed with the owners first and last names.

The leak email

The damage is obvious. The fallout, instant.

Within hours, recipients had confirmed that they themselves had recognised names on the list. Names of friends or acquaintances that they were unaware were affected by the virus in some way. In contrast to the recent Ashley Madison leak, these people did not sign up to the service out of choice yet the effects are painfully similar. This data changes the way society treats those whose details were leaked, and they already know it. I wholeheartedly wish this wasn’t true for the victims of this particular leak, but we all know how this works.

Two major, life-changing data leaks in two months. Suicides, broken homes, public shaming, hate campaigns and death threats. This is my cue to speak the fuck up. Somebody needs to take the fall for this.

So who’s to blame? The majority of commentators fall either side of the fence. Some blame the individual. That would be the sender of the HIV clinic email, or the Ashley Madison hacker that leaked the data. The others blame the herd. For the clinic that would be the patients for using email addresses with identifiable information or for Ashley Madison, it’s the cheating spouses that signed up (which, by the way, is called victim blaming. Don’t do that).

The real answer is all of us.

Yes YOU. Not just those whose details were leaked. Not just those who did the leaking. All of us.

Businesses need to take serious responsibility for data security, and the public needs to hold them accountable. It’s funny how we consider ourselves to be ‘the general public’. If we are not senior management or board members in the companies we work for, we assume the role of the individuals that companies exist to serve. The reality is that 95% of people work for a company that handles customer data, and the next big data leak is just around the corner. The problem is that technology moves too fast and too few of us attempt to keep up. We don’t understand customer data security but we’re happy to put someone else’s data out on the Internet on a system built by people we have never met, using security features we have never heard of.

Allow me to scare you a little bit. Those professional looking websites you sign up to and hand over your email address, personal details, credit card information and IP address to? The people that run many of those companies have absolutely no clue how your data is stored, how it is used, or how it’s vulnerable to attack. The IT department might if you’re lucky… But usually the knowledge of the systems lies with the third party developers that built it, or dies with that guy that set up the procedure but moved on to another job 5 years ago. And when it was created, the infrastructure was decided upon at the time by a hung-over developer and has barely changed since.

I’m not kidding… I used to be that hung-over developer.

Your data is stored in multiple relational databases, completely unencrypted. Once downloaded (after server access is gained), the database table primary keys (usually your site / user ID number) can be used to pull all of your data from all of the database tables and match it together. Your profile information, address, payment information, messages, images, friends lists. Everything. That website may even be hosted on Go Daddy and the database can be accessed by logging into their hosting account and flicking some switches. One password to steal. Simple.

The bottom line is that nobody gives a crap until it happens to his or her customers. After that, it’s panic stations, firefighting and a monster of a PR campaign. It’s unfair to say that all large web services are insecure. The likes of Google, Facebook, Amazon, Apple and the other web giants have huge teams of experts managing your data and are absolutely devoted to keeping it safe (OK, maybe not always private, but safe from hackers at least). And it’s unfair to say that all smaller companies are that blasé about security, or clueless about it’s service. But, should a marketing coordinator for a mid level dating site be expected to know that their Joomla! build is dangerously out of date? Should a sales manager for a butt plug manufacturer know that their pass-worded laptop can be accessed with ease in about 35 seconds? And as for the HIV clinic, is it the staff’s responsibility to know what an ESP is, what it’s for and how to use it to safely deploy emails? These staff members are not at fault… but they can help to fight the problem.

We need to take a stand and take responsibility for the data within our reach. I’m calling on all of you to stand up and pay attention within your own organisations. If you work in an office, how does your department handle customer data security? Is it secure? Are you sure? If you work in a senior management role, which of your systems collect or utilise customer data? Who is responsible for it’s safety? Is it secure? Are you sure? If you personally use customer data to perform your duties, are you using the right tools or processes to do so? Can someone steal it from you? You guessed it… Are you sure?

If you are an entrepreneur, CEO, COO, Board member or department head, I beg you to spend some time getting to know your data. Look at your processes, your security and your contingency plan. Learn about modern encryption and data security. Hire a consultant. Update your systems. Run penetration testing. Do something. Do ANYTHING.